These are FacexWorm’s malicious behaviors:

Traffic pattern of FacexWorm’s C&C communication

Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage.

Figure 4.

It downloads additional JavaScript code from the C&C server when the browser is opened. When accessed through browsers other than Chrome’s desktop version, the malicious link will instead divert to a random advertisement.

FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine. It then performs a sequence of queries to Facebook to obtain the account’s friend list and sends fake YouTube video links again to contacts who are in online or idle status. If it is enabled, FacexWorm will request an OAuth access token from Facebook. Once the extension detects that Facebook is open, it will communicate with its C&C server again to check if the propagation function is enabled. Once installed and granted permission, FacexWorm will download additional malicious codes from its command-and-control (C&C) server and open Facebook’s website.

Fake YouTube page asking users to install FacexWorm

Figure 3.

It will then request privilege to access and change data on the opened website.

Figure 2.

The links redirect to a fake YouTube page that will ask unwitting users to agree and install a codec extension (FacexWorm) in order to play the video on the page. While we’ve so far only found one Bitcoin transaction compromised by FacexWorm when we checked the attacker’s address/wallet, we don’t know how much has been earned from the malicious web mining.

FacexWorm is delivered through socially engineered links sent to Facebook Messenger.
It also redirects would-be victims to cryptocurrency scams, injects malicious mining codes on the webpage, redirects to the attacker’s referral link for cryptocurrency-related referral programs, and hijacks transactions in trading platforms and web wallets by replacing the recipient address with the attacker’s. But now it can also steal accounts and credentials of FacexWorm’s websites of interest.

It retains the routine of listing and sending socially engineered links to the friends of an affected Facebook account, just like Digmine. Our analysis reveals FacexWorm’s capabilities were made over. Last April 8, however, we noticed a spike in its activities that coincided with external reports of FacexWorm surfacing in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain. It was uncovered in August 2017, though its whys and hows were still unclear at the time. A very small percentage of users were affected by these malicious extensions, and Chrome had already removed many of these extensions prior to being alerted by Trend Micro.

FacexWorm isn’t new.

You can look for alternatives in Add-ons.

Our Cyber Safety Solutions team identified a malicious Chrome extension we named FacexWorm, which uses a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser and propagates via Facebook Messenger.

This program can no longer be downloaded.

This Facebook Messenger extension for Chrome works fine, but it's pretty pointless! The only advantage of it is you can avoid the many possible distractions Facebook has to offer (except your messages, obviously). Everything this extension does is done better and more conveniently through the website.

If you could be logged into the extension without being logged into the website, this might be justifiable, but as it stands it is totally redundant. It uses system resources, making Chrome just that little bit slower, and adds a button to Chrome, taking up space.
Only for the easily distracted

Facebook Messenger extension for Chrome works, but begs the question "why?" There are no reasons to use it.

You must be logged into Facebook through Chrome to use it - so if you are on the website and log out, you will no longer get messenger notifications with this extension. In this window you'll see all your messages, and can reply to them just like on the site. This Facebook Messenger extension adds a button to the browser, which opens a new window when clicked.